Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 14:48:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

"Best Guess" unknown keyboard / language variants

Browse source 
If the lookup table does not have an entry, it will just log as the raw decimal language/keyboard code. With this change, if we do not have an entry in the lookup table, we'll look at the low order / 4 least significant bits to see if we have a match. The high order / 4 most significant bits are flags/modifiers to the base language/keyboard code. We'll append that it is a "Best Guess"

(This is my first attempt at Zeek scripting, apologies upfront if I'm missing obvious language features. I feel like the const language lookup should return a success/fail return code that we would key off of, but unsure how to accomplish that so instead went for string matching on value in == value out).
This commit is contained in:
jeff-bb 2023-01-19 16:55:23 -06:00 committed by GitHub
parent 80a3f5814b
commit dd2cdb064b
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 7 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

7
scripts/base/protocols/rdp/main.zeek
View file

@ -188,6 +188,13 @@ event rdp_client_core_data(c: connection, data: RDP::ClientCoreData) &priority=5
set_session(c); set_session(c);
c$rdp$keyboard_layout = RDP::languages[data$keyboard_layout]; c$rdp$keyboard_layout = RDP::languages[data$keyboard_layout];
if (c$rdp$keyboard_layout == fmt("keyboard-%d", data$keyboard_layout))
{
c$rdp$keyboard_layout = RDP::languages[data$keyboard_layout & 0xffff];
c$rdp$keyboard_layout = c$rdp$keyboard_layout + " (Best Guess)";
}
c$rdp$client_build = RDP::builds[data$client_build]; c$rdp$client_build = RDP::builds[data$client_build];
c$rdp$client_name = data$client_name; c$rdp$client_name = data$client_name;
c$rdp$client_dig_product_id = data$dig_product_id; c$rdp$client_dig_product_id = data$dig_product_id;